VSS event 8193 0x80070005, Access is denied, Initializing Writer following DHCP install

    Question

  • Discovered an issue that I can reproduce at will.  Default full install of 2008 R2 build 7600, if I complete the server install and add the DHCP role, every server start results in the following Application Event Log:

    event id: 8193

    Volume Shadow Copy Service error: Unexpected error calling routine RegOpenKeyExW(-2147483646,SYSTEM\CurrentControlSet\Services\VSS\Diag,...). hr = 0x80070005, Access is denied.

    Operation:

    Initializing Writer

    In addition to the startup instance of the event, it will also recur at will by doing a net stop/start of cryptsvc resulting in the same event in the application log.  If DHCP is not installed, it is completely happy.  Uninstalling the DHCP role does not clear the error, though an "upgrade" install of Server after removing DHCP does clear it...I miss the old repair install capability   :(

    This error does not prevent the functioning of DHCP or any other component of the server that I have found in my brief testing, but I am concerned about putting it into production to later find out what trouble might arise down the road.

    Wednesday, August 26, 2009 8:27 PM

All replies

  • I did an in place upgrade from 2008 to 2008R2 of a machine that hosted a DHCP role, I have the same error. I haven't yet resolved it.
    DG
    Thursday, August 27, 2009 11:05 PM
  • Same problem here on one of two 2008 R2 machines. Both are DCs, both have DHCP role installed, but only on one machine the error occurs. The second machine has no DHCP scope active.
    cu, Ingo [MVP - Windows Desktop Experience]
    Friday, August 28, 2009 9:51 PM
  • Perhaps my mistake was I never really asked a question...I only stated my findings.  I guess my question would be does anyone know how to eliminate the error without resorting to not running DHCP, or secondarily, any thoughts on if it is a serious issue and what problems could pop up later, and/or can it perhaps be safely ignored?

    Sunday, August 30, 2009 11:26 PM
  • Bueller?  Bueller?

    Following another path...Are either of you gentlemen who are also experiencing the error seeing any impact as a result, or does the server and the DHCP service seem to be operating normally despite the event log error?  Any concerns other than curiosity due to the error involving two seemingly unrelated services: DHCP and VSS?

    Friday, September 04, 2009 3:07 PM
  • Also receiving the exact same issue here. I found this page with a fix: http://www.jcarle.com/2009/09/06/fixing-the-volume-shadow-copy-service/
    • Marked as answer by David Shen Tuesday, September 08, 2009 10:56 AM
    Sunday, September 06, 2009 5:07 AM
  • Nice find on the jcarle site, I appreciate that.  I would however consider that to be more of a workaround than a fix.  If you extend that solution to a ridiculous level and give "Everyone" full control to every registry key, it would also "fix" the VSS error, but you would clearly not want to do that.

    I would still be interested in knowing what the relationship between DHCP and the VSS service is, if the install of DHCP is incorrectly applying some settings or creating an association somewhere in error, and is potentially known and being worked on for a fix.  I would also like to know of any potential downside to modifying those permissions in the suggested workaround, and if there is any exceptional risk to taking that path.  The other possibility would be a confirmation that there is no real problem and it is fine to just live with the error in the log vs. modifying security settings unnecessarily or taking any other action at all.

    Sunday, September 06, 2009 2:15 PM
  • It's always simple :).
    When DHCP server is installed it incorrectly rewrites permissions on [...\CurrentControlSet\Services\VSS\Diag] key (and all subkeys).
    Here are some details:

    1) Key permissions BEFORE DHCP installation (SDDL):
    /sddl=O:SYG:SYD:PARAI(A;;KA;;;BA)(A;;KA;;;SY)(A;;CCDCLCSWRPSDRC;;;BO)(A;;CCDCLCSWRPSDRC;;;LS)(A;;CCDCLCSWRPSDRC;;;NS)(A;IO;RC;;;OW)(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BA)(A;CIIO;GA;;;BO)(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;CIIO;GA;;;SY)

    2) And now what happens after "DHCP Server Role" is installed (SDDL):
    /sddl=O:SYG:SYD:ARAI(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-3172130058-210131473-390205191)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)(A;CIIOID;GA;;;CO)

    If you take a closer look - you'll notice that these SDs (security descriptors) are quite different. BTW, the SID starting with S-1-5-80-... - this is NT SERVICE\DHCPServer.

    Now let's get back to our "Access Denied" error.
    On any 2008(R2) Server we always have the service "Cryptographic Services" running and set to Autostart. And it runs under the NetworkService account. Every time this service is started it initializes its "VSS Writer" (VSS provider used to back up local cert stores). And this VSS provider tries to get Read/Write access to our key (...\Diag). As it does that from inside the CryptSvc service - it uses the NetworkService account to get this access.
    But inside the second SD there is no permission for NetworkService at all! So, we have our error message in the event log every time CryptSvc starts.

    Now how to revert those changes to the system original? I used the subinacl utility from the 2003 resource kit tools (you have to download an updated version v5.2.3790.1180 from the MS site) like this:

    subinacl /keyreg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VSS\Diag /sddl=O:SYG:SYD:PARAI(A;;... here goes original SD - from 1) ... GA;;;SY)

    But after that you have to open REGEDIT, navigate to the [...\Diag] key, open its permissions -> Advanced -> "Replace all child object permissions ...." -> Ok -> Ok.

    Only after that you'll have system original permissions on that key and all subkeys.

    • Proposed as answer by AlexVD Wednesday, February 24, 2010 4:58 AM
    Wednesday, February 24, 2010 4:54 AM
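
Added example, not part of the original thread or any poster's code: a small Python parser that compares the two SDDL strings quoted in the post above and reports which trustees hold an allow ACE on the Diag key itself before and after the DHCP role install. Only the SDDL strings come from the thread; the function names are illustrative.

```python
import re

# The two security descriptors quoted in the post above for
# HKLM\SYSTEM\CurrentControlSet\Services\VSS\Diag.
BEFORE = ("O:SYG:SYD:PARAI(A;;KA;;;BA)(A;;KA;;;SY)(A;;CCDCLCSWRPSDRC;;;BO)"
          "(A;;CCDCLCSWRPSDRC;;;LS)(A;;CCDCLCSWRPSDRC;;;NS)(A;IO;RC;;;OW)"
          "(A;;KR;;;BU)(A;CIIO;GR;;;BU)(A;CIIO;GA;;;BA)(A;CIIO;GA;;;BO)"
          "(A;CIIO;GA;;;LS)(A;CIIO;GA;;;NS)(A;CIIO;GA;;;SY)")
AFTER = ("O:SYG:SYD:ARAI(A;CI;CCDCLCSW;;;S-1-5-80-3273805168-4048181553-"
         "3172130058-210131473-390205191)(A;ID;KR;;;BU)(A;CIIOID;GR;;;BU)"
         "(A;ID;KA;;;BA)(A;CIIOID;GA;;;BA)(A;ID;KA;;;SY)(A;CIIOID;GA;;;SY)"
         "(A;CIIOID;GA;;;CO)")


def parse_dacl(sddl):
    """Return (control_flags, aces) for the D: section of an SDDL string."""
    m = re.search(r"D:([A-Z_]*)((?:\([^)]*\))+)", sddl)
    if m is None:
        raise ValueError("no DACL in SDDL string")
    # DACL control flags: P = protected, AR = auto-inherit requested, AI = auto-inherited
    control = set(re.findall(r"AR|AI|P", m.group(1)))
    aces = []
    for body in re.findall(r"\(([^)]*)\)", m.group(2)):
        # ACE layout: type;flags;rights;object_guid;inherit_object_guid;sid
        ace_type, flags, rights, _obj, _inh_obj, sid = body.split(";")[:6]
        aces.append({"type": ace_type, "rights": rights, "sid": sid,
                     "flags": {flags[i:i + 2] for i in range(0, len(flags), 2)}})
    return control, aces


def direct_trustees(sddl):
    """SIDs with an allow ACE that applies to the key itself (not inherit-only)."""
    _, aces = parse_dacl(sddl)
    return {a["sid"] for a in aces if a["type"] == "A" and "IO" not in a["flags"]}


def compare(before, after):
    """Summarize what changed between two descriptors on the same key."""
    b, a = direct_trustees(before), direct_trustees(after)
    return {"lost": sorted(b - a), "gained": sorted(a - b),
            "protected_before": "P" in parse_dacl(before)[0],
            "protected_after": "P" in parse_dacl(after)[0]}


if __name__ == "__main__":
    for key, value in compare(BEFORE, AFTER).items():
        print(f"{key}: {value}")
```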
  • This is so easily re-created!  Has anyone opened a ticket with Microsoft to report this bug?

    Tuesday, May 18, 2010 8:33 PM
  • From what I understand in the post, it wants you to allow full control to the user.

    Writer Name is System Writer

    From the binary dat

    CMd is Windows\system32\svchost.exe -k networkservice

    User Name NT AUTHORITY\NETWORK SERVICE S-1-5-20

    When I navigate to the reg keys as shown in the blog, there is no user name as provided above

    I am new to servers, how do I allow full control if the user provided above is not in the keys?

    Confused

    David

    Thursday, June 24, 2010 2:57 PM